System and method for detecting fraudulent transactions

ABSTRACT

Some demonstrative embodiments of the invention include a system and method for detecting related transactions, e.g., fraudulent transactions, by, for example, associating transactions and creating lists of related transactions. Other embodiments are described and claimed.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a National Phase Application of PCT International Application No. PCT/US2006/039638, entitled “SYSTEM AND METHOD FOR DETECTING FRAUDULENT TRANSACTIONS”, International Filing Date Oct. 11, 2006, published on Apr. 19, 2007 as International Publication No. WO 2007/044763, which in turn claims priority from US Provisional Patent Application No. 60/724,877, filed Oct. 11, 2005, both of which are incorporated herein by reference in their entirety.

BACKGROUND OF THE INVENTION

In the world of online financial transactions, there is an increasing need for detecting fraudulent transactions. Current fraud detection methods may cancel particular transactions involving a stolen credit card, or may identify fraud based on a purchase unsuitable to a user profile. However, these technologies generally fail to address subtle cases of fraud, where the transaction itself may appear genuine.

There is a need for a method of detecting fraud in a more accurate manner, e.g., a detection of fraudulent transactions that are subtle and almost identical to genuine transactions using available computing power, storage capacity and retrieval speed.

SUMMARY OF SOME DEMONSTRATIVE EMBODIMENTS OF THE INVENTION

Embodiments of the invention may perform a method for identifying fraudulent transactions comprising receiving at least one marked transaction record and a set of unmarked transaction records; providing a relation value for unmarked transaction records with respect to at least one marked transaction record, said relation value based on an outcome of at least one equivalence function; marking transaction records satisfying a marking condition based on said relation value; and repeating said steps of providing a relation value and marking transaction records until a termination condition is reached.

Embodiments of the invention may provide a system for identifying fraudulent transactions comprising: a processor to receive at least one marked transaction record and a set of unmarked transaction records, provide a relation value for unmarked transaction records with respect to at least one marked transaction record, said relation value based on an outcome of at least one equivalence function, mark transaction records satisfying a marking condition based on said relation value, and repeat said steps of providing a relation value and marking transaction records until a termination condition is reached.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanied drawings in which:

FIG. 1 depicts a fraudulent transactions detecting system 10 according to one embodiment of the present invention;

FIG. 2 is an exemplary table illustrating a transactions database according to one demonstrative embodiment of the invention;

FIG. 3 is a schematic depiction of a method for detecting fraudulent transactions in accordance with an embodiment of the invention; and

FIG. 4 is a schematic depiction of an exemplary algorithm for detecting fraudulent transactions in accordance with an embodiment of the invention.

It will be appreciated that for simplicity and clarity of illustration, elements shown in the drawings have not necessarily been drawn accurately or to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity or several physical components included in one functional block or element. Further, where considered appropriate, reference numerals may be repeated among the drawings to indicate corresponding or analogous elements. Moreover, some of the blocks depicted in the drawings may be combined into a single function.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits may not have been described in detail so as not to obscure the present invention.

The processes presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform embodiments of a method according to embodiments of the present invention. Embodiments of a structure for a variety of these systems appear from the description herein. In addition, embodiments of the present invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.

Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as “processing,” “computing,” “calculating,” “determining,” or the like, refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices. In addition, the term “plurality” may be used throughout the specification to describe two or more components, devices, elements, parameters and the like.

Some demonstrative embodiments of the invention may provide a system and method for detecting fraudulent transactions, e.g., verifying the authenticity of a desired transaction as described in detail below.

It will be appreciated that the term “transaction” as used herein may refer to any transfer of information, transfer of details, e.g., including currency, goods, services, rights to services and the like. The records may be made by users communicating over secure or non-secure channels.

It will be appreciated that the term “channel”, for example, as used herein may refer to any pathway used to convey information from one computing system to a second computing system, e.g., from a transmitter to a receiver. It will be understood that embodiments of the present invention may be implemented over secure channels as well as non-secure channels.

FIG. 1 depicts a fraudulent transaction detection system 10 according to one embodiment of the present invention. Referring to FIG. 1, end users such as end user 11, end user 12, end user 13 and end user 14 may use terminals such as a personal computer, automated teller machine, PDA, telephone, cellular device, or other computing device. An end user, for example, end user 14, may wish to conduct a transaction (e.g., log in to an online website or service, make a purchase, open a financial account, etc.) with a central system 20. Users may engage in financial transactions with central system 20, or central system 20 may obtain transaction information from other transaction servers with which users transact. It will be appreciated that the interaction of the central system 20 with users is not necessary for implementation of the present invention.

Central system 20 may be, for example, a provider that may provide services containing, requesting or otherwise using confidential or private information, for example, a financial institution (“FI”), government agency, health institution, communication service provider or any other institution, authority, provider or entity. Central system 20 may include any sort of central system, for example, a server, an internet server, an email server, SSL server or any other central computing system. Any one of end users 11-14 and central system 20 may communicate, for example, via one or more communications network(s) or channel(s) 15-18 such as, for example, the Internet, wireline or wireless telephone, a cellular system, intranets, data lines, a combination of networks, etc.

Central system 20 may further include, for example, a processor 21, a storage unit 22, and an operating system 24. Central system 20 may be implemented using any suitable combination of hardware components and/or software components.

Processor 21 may include, for example, a Central Processing Unit (CPU), a Digital Signal Processor (DSP), one or more controllers, or any suitable specific and/or general and/or multi-purpose processor or micro-processor or controller. Storage unit 22 may include memory units, for example, Random Access Memory (RAM), Read Only Memory (ROM), Dynamic RAM (DRAM), or other suitable memory systems. Operating system 24 may include, for example, Microsoft Windows, Linux, Unix, Apple OS, Solaris, Sun-OS, HP-UX, or other suitable operating systems. It is noted that processor 21, storage unit 22, and/or operating system 24 may include other suitable components and/or implementations as is known in the art.

In some embodiments of the invention, each transaction made by one of end users 11-14 may have certain characteristics such as transaction information, also referred to herein as a “record”. A record may include a collection of fields, for example, a transaction time, an IP address of the transaction performer, a transaction Cookie, a user name, a password, a credit card number and/or amount of money of the transaction. Any other information may be included. A record may be stored anywhere accessible by the processor 21, for example, in storage unit 22, and the information may be arranged and/or stored in multiple fields.

Reference is made to FIG. 2, which is an exemplary table illustrating a transactions database according to one demonstrative embodiment of the invention.

It will be appreciated that the term “database”, as used herein, may refer to any set of records, e.g., plurality of statistics, data, facts, numbers or other information related to a performed transaction. Each record in a database may include fields, such as the fields denoted above. It will be understood that embodiments of the present invention may implement storing of information configured in forms other than a table such as, for example, an array, a set, a tree, a hash table or other data structures.

Database 200 may include transaction records (column 201); a record may represent the information known about a performed transaction, e.g., a record may represent an online e-commerce transaction or the like. The information may be stored in fields, for example, time (column 202), IP address (column 203), merchant (column 204), transaction amount (column 205), credit card number (column 206), cookie (column 207), etc.

Referring back to FIG. 1, database 200 may be stored in, for example, storage unit 22 of central system 20. In some embodiments of the invention, related records may be defined, identified, classified and/or recognized, for example by processor 21 and/or operating system 24. In some embodiments, database 200 may be stored externally to central system 20, and may be accessible, for example, by a plurality of central systems.

Reference is made to FIG. 3, a schematic depiction of a method for detecting fraudulent transactions in accordance with an embodiment of the invention.

Although the scope of the present invention is not limited in this respect, in block 300 an initial set of one or more records may be identified. For example, the initial subset may be a set of known fraudulent transactions. According to embodiments of the invention, the information provided by the initial subset may be used to find, identify, classify or perform any other operation on records that may be related to other records in the subset, as described in detail below. In some embodiments an initial subset of records may be used to separate a set of records into clusters of related records based on the outcomes of equivalence functions.

In block 310 one or more equivalence functions may be defined. These equivalence functions may be useful to locate records related to the initial subset of records. An equivalence function may be defined based on one or more fields of a record. In some embodiments, an equivalence function, which may differ from field to field, may be defined for each field or for a plurality of fields. The equivalence function may provide a strength or relevance of connection between records based on a comparison of the relevant fields. In some embodiments of the invention, some fields may not have an equivalence function. The equivalence functions defined to evaluate a particular transaction may be selected based on parameters or characteristics of the transaction.

Although the scope of the present invention is not limited in this respect, different equivalence functions may be assigned to different fields and may correspond to the relation, connection, link or relationship of two or more records. The value or result of the equivalence function, which may define how tight or close two or more records may be, is also referred to herein as the strength of the equivalence function. The total strength of the connection between two or more records may be calculated as a function of all or a plurality of relevant strengths of the equivalence functions of their respective fields, as is described in detail below.

For example, an equivalence function may be strict identity of fields, e.g., two records may be related if the credit card number used for both transactions is identical.

In some embodiments of the invention, an equivalence function may be defined as providing any of a set of discrete outcomes based on different conditions. For example, an equivalence function for a first identified transaction and a second transaction based on IP address field may provide a low value if only the class B value of the IP address is the same, a medium value if the IP address is the same, and a yet higher value if the IP address is the same and the usages are within a predefined period of each other.

In block 320 the strength or value of equivalence functions of various fields may be calculated based on equivalence functions defined in block 310.

In block 330 the total strength of two or more records may be calculated based on the strengths of the equivalence functions of their respective fields which may be calculated in block 320. The total strength may be the sum total of the equivalence functions of the fields. The total strength of, for example, two records may imply or give indication of the connection, relation or link between those two records. A given record may have one or more records that may be connected to it, e.g., whose connection strength with the given record is nonzero.

In some embodiments of the invention, the initial set of records, e.g., provided in block 300, may be marked with a certain fraudulence score or value. Such a value may be, for example, a number, or any other indication. The score assigned to marked records, e.g., fraudulent records, may be transferred to other, related records, as is described in detail below. The score may be diluted upon transfer in order to prevent marking all records.

Although the scope of the present invention is not limited in this respect, each record in the initial set of records, e.g., provided in block 300, may be assigned a value at a certain level, for example, a maximum level. The related records that may be found, as described in detail below, may be assigned a value based on the value of the records to which they are related, and on the strength of the relation based on the strength of the equivalence function. This value may be lower, e.g., diluted, relative to the value of the originating record in the initial set. In case the new record is related to several records, its resulting value may be less diluted, for example, based on the number of marked records to which it is related. This process may be repeated until a termination condition occurs, as described in detail below.

Reference is made to FIG. 4, a schematic depiction of an exemplary algorithm for detecting fraudulent transactions in accordance with an embodiment of the invention.

The following illustration outlines a solution architecture according to one embodiment of the present invention; other suitable architectures are possible in accordance with other embodiments of the invention:

Although the scope of the present invention is not limited in this respect, the algorithm may be employed in an online e-commerce system in order to identify fraudulent transactions. In such an embodiment, the records may be online e-commerce transactions in a database.

In block 400 an initial set of transactions to be reviewed for fraud may be provided. The initial set of transactions may be, for example, fraudulent transactions from charge-back records, from case-management entries or the like. The transactions provided may be added to a database containing all records; each record may be comprised of fields, for example, a record may include the following fields: date, time, IP address, merchant, transaction amount, credit card number, permanent cookie, etc.

In block 410 equivalence functions may be defined based on one or more fields of a record. A weight, strength or value of each equivalence function may also be defined in accordance with the importance or significance of an equivalence function.

For example, the equivalence function of the permanent cookie field may be defined as an equality or identity function, e.g., the algorithm may search for the identical permanent cookie in other records. The value or strength given to such a match may be high, for example, 10 on a scale of 0 to 10. Another equivalence function may be based on a plurality of fields, such as amount, merchant, date and time, e.g., the algorithm may search for an identical or near-identical amount and merchant field, and no more than 10 hours difference in date and time fields. The value or strength given to such an equivalence function may be, for example, 3 on a scale of 0 to 10.

In some embodiments, an equivalence function may be defined to provide discrete values for different circumstances. For example, one equivalence function may provide a value of 4 based on an identical IP address within 10 minutes and a value of 1 based on mere identity of the class B value of the IP address.

In block 420 parameters and conditions used with the algorithm, such as total strength or value of a record, initial value of a record and termination condition of the algorithm may be defined. Other parameters and conditions may be defined.

For example, the total strength of a record may be defined as the sum of all equivalence function strengths, initial value may be defined as a constant, e.g., 100, and a fade effect may be the total strength divided by 25, multiplied by the value of the record already in the set. The termination condition may be defined as number of iterations, e.g., 2 iterations.

In block 430, a record from the marked set of records may be chosen. The marked set of records may include at least the initial set of records. In subsequent iterations, the marked set may include records marked in a previous iteration, as described in detail in block 460. For example, with reference to FIG. 2, the initial set may include records 1 and 3. In the below example, record 1 may be chosen.

In block 440 the equivalence functions of all records may be calculated with reference to the record chosen in block 430. For example, with reference to FIG. 2, the equivalence functions of records 2 and 4-10 may be calculated with reference to record 1. In this embodiment, record 3, which is included in the initial set and known to be fraudulent, need not be examined.

In block 450 a determination may be made as to whether the equivalence functions of all records have been calculated with reference to every record from the marked list. For example, with reference to FIG. 2, in the first iteration, after equivalence functions of records 2 and 4-10 have been calculated with reference to record 1, a transition is made to block 430 and record 3 may be chosen.

In block 460 all records connected or related to records from the marked set may be found, e.g., based on the value calculated in block 440, and added to the marked list.

For example, with reference to FIG. 2, in the first iteration, the algorithm may find the following records as connected to record 1:

For record 2 (same IP address, 3 minutes apart), the total strength calculated may equal 4. Therefore, record 2 may be marked with value 16 and may be added to the marked list.

For record 8 (same card number), the total strength calculated may equal 5. Therefore, record 8 may be marked with value 20 and may be added to the marked list.

In the first iteration, the algorithm may also find the following records as connected to record 3:

For record 6 (same card, same cookie), the total strength calculated may equal 15. Therefore, record 8 may be marked with value 60 and may be added to the marked list.

In block 470, a determination may be made as to whether a termination condition has been reached. A termination condition may be, for example, a maximum number of iterations, whether new records remain to be added to the marked set, or whether there remain new records with calculated value above a certain threshold to be added to the marked set. Other termination conditions may be used.

If no termination condition is met, a transition loop may be made back to block 430. For example, with reference to FIG. 2, a second iteration may look for records connected to records 2, 8 and 6.

For record 2, record 10 may be found having identical card number. The total strength calculated may equal 5. Thus, record 10 may be marked with value 3.2 (i.e., 5 times 16 divided by 25) and may be added to the marked list.

For record 8, no connected records may be found.

For record 6, record 7 may be found having identical merchant and amount, within a time difference of 2 minutes. The total strength calculated may be 3. Thus, record 7 may be marked with value 7.2 (i.e., 3 times 60 divided by 25) and may be added to the marked list.

In block 480, the results, e.g., the current marked list, may be reviewed. The marked list may include all records from the initial set provided and may also include all records which may be related to the original given set of records. The value of each record may indicate a level of relation to the original initial set of records.

For example, with reference to FIG. 2, and based on the above provided equivalence functions and termination condition, records 1 and 3 may be highly connected to the original set (level 100), other records may be also connected to the original set, e.g., record 6 (level 60), record 8 (level 62), record 2 (level 16), record 7 (level 7.2) and record 10 (level 3.2). Records 4, 5 and 9 may be found as unrelated since no value level is attached to them. The system may apply a threshold minimum value for determining a fraudulent transaction after a number of iterations.
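The iteration of blocks 400-480 can be sketched in Python as follows. This is an added example, not code from the patent: it reproduces the values derived step by step in the walkthrough (16, 20, 60, 3.2 and 7.2). FIG. 2 is not reproduced on this page, so the ten records are constructed to match the relations narrated above; the card-number strength of 5 is inferred from the walkthrough, and summing the contributions of several marked records is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    rid: int
    ts: datetime
    ip: str            # IPv4 dotted quad
    merchant: str
    cents: int         # amount in cents, so equality is exact
    card: str
    cookie: str


def eq_cookie(a, b):
    # Identical permanent cookie: strength 10 (block 410 example).
    return 10 if a.cookie and a.cookie == b.cookie else 0


def eq_card(a, b):
    # Identical card number: strength 5 (inferred from the walkthrough).
    return 5 if a.card == b.card else 0


def eq_ip(a, b):
    # 4 for the same IP within 10 minutes, 1 for the same class B prefix.
    if a.ip == b.ip and abs(a.ts - b.ts) <= timedelta(minutes=10):
        return 4
    if a.ip.split(".")[:2] == b.ip.split(".")[:2]:
        return 1
    return 0


def eq_purchase(a, b):
    # Same merchant and amount, no more than 10 hours apart: strength 3.
    same = a.merchant == b.merchant and a.cents == b.cents
    return 3 if same and abs(a.ts - b.ts) <= timedelta(hours=10) else 0


EQUIVALENCE_FUNCTIONS = (eq_cookie, eq_card, eq_ip, eq_purchase)


def total_strength(a, b):
    # Block 330: total strength is the sum of all equivalence outcomes.
    return sum(f(a, b) for f in EQUIVALENCE_FUNCTIONS)


def propagate(records, seeds, initial=100.0, fade=25.0, max_iter=2):
    """Return {record id: value} for every marked record (blocks 430-470)."""
    by_id = {r.rid: r for r in records}
    marked = {rid: initial for rid in seeds}
    frontier = list(seeds)              # records marked in the previous pass
    for _ in range(max_iter):           # termination: number of iterations
        newly = {}
        for r in records:
            if r.rid in marked:
                continue
            # Fade effect: strength / 25 * value of the marked record.
            # Assumption: contributions from several marked records add up.
            value = sum(total_strength(by_id[s], r) * marked[s] / fade
                        for s in frontier)
            if value > 0:               # marking condition: nonzero relation
                newly[r.rid] = value
        if not newly:                   # nothing left to add: stop early
            break
        marked.update(newly)
        frontier = list(newly)
    return marked


def flagged(marked, threshold):
    # Block 480: apply a minimum value to the marked list.
    return sorted(rid for rid, v in marked.items() if v >= threshold)


def _rec(rid, day, hhmm, ip, merchant, cents, card, cookie):
    ts = datetime.strptime(f"2005-10-{day:02d} {hhmm}", "%Y-%m-%d %H:%M")
    return Record(rid, ts, ip, merchant, cents, card, cookie)


# Constructed sample data (not the patent's FIG. 2 table).
RECORDS = [
    _rec(1, 1, "10:00", "198.51.100.7", "shop-a", 12000, "card-1", "ck-1"),
    _rec(2, 1, "10:03", "198.51.100.7", "shop-b", 3550, "card-2", "ck-2"),
    _rec(3, 1, "11:00", "203.0.113.9", "shop-c", 8000, "card-3", "ck-3"),
    _rec(4, 1, "12:00", "192.0.2.10", "shop-d", 1500, "card-4", "ck-4"),
    _rec(5, 1, "13:00", "172.16.8.1", "shop-e", 990, "card-5", "ck-5"),
    _rec(6, 1, "14:00", "10.20.0.5", "shop-f", 4999, "card-3", "ck-3"),
    _rec(7, 1, "14:02", "10.30.0.5", "shop-f", 4999, "card-7", "ck-7"),
    _rec(8, 1, "16:00", "10.40.0.5", "shop-g", 20000, "card-1", "ck-8"),
    _rec(9, 2, "09:00", "10.50.0.5", "shop-h", 700, "card-9", "ck-9"),
    _rec(10, 2, "18:00", "10.60.0.5", "shop-i", 2500, "card-2", "ck-10"),
]

if __name__ == "__main__":
    for rid, value in sorted(propagate(RECORDS, seeds=[1, 3]).items()):
        print(rid, value)
```

Raising `max_iter` lets the score travel further from the seed records, while the division by 25 keeps each hop weaker than the one before it unless the total strength exceeds 25.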

Although the scope of the present invention is not limited in this respect, for example in fraud detection, the color level may be indicative of fraud. The stronger the value associated with a transaction, the greater the likelihood that a transaction is fraudulent. Embodiments of the present invention may therefore enable fraud-fighters to locate a seemingly innocent and unrelated transaction such as, for example, record 7, and to flag the transaction as fraudulent, although the transaction may not have any obvious connection with any of the known fraudulent transactions, e.g., records 1 and 3.

It should be obvious that the above implementation of the method (e.g., performing iterations) is merely one possible implementation, and that other possibilities are available for listing the related records, for example, employing complex SQL queries to simultaneously find all related records of all records in the initial set, and so forth.

Various devices, architectures, and sets of devices may form a system according to various embodiments of the present invention, and may effect a method according to embodiments of the present invention. Methods according to various embodiments of the present invention may be executed by one or more processors or computing systems (including memories, processors, software, databases, etc.), which, for example, may be distributed across various sites or computing platforms. Alternatively, some methods according to embodiments may be executed by single processors or computing systems.

Embodiments of the present invention may be implemented by software, by hardware, or by any combination of software and/or hardware as may be suitable for specific applications or in accordance with specific design requirements. Embodiments of the present invention may include units and subunits, which may be separate of each other or combined together, in whole or in part, and may be implemented using specific, multi-purpose or general processors, or devices as are known in the art. Some embodiments of the present invention may include buffers, registers, storage units and/or memory units, for temporary or long-term storage of data and/or in order to facilitate the operation of a specific embodiment.

While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents may occur to those of ordinary skill in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

1. A method for identifying fraudulent transactions comprising: receiving, by a processor, a set of at least one marked transaction record each transaction record in said set of marked transaction records respectively associated with a fraud score indicating a fraudulent transaction and a set of unmarked transaction records; for each unmarked transaction record in the set of unmarked transaction records, generating, by the processor, a relation value for the unmarked transaction record with respect to at least one marked transaction record, said relation value based on an outcome of at least one equivalence function therebetween; associating, by the processor, unmarked transaction records satisfying a marking condition with a fraud score, said fraud score based on said relation value of the unmarked transaction record with respect to the marked transaction record and its respective fraud score, thereby rendering unmarked transaction records having a fraud score as newly marked transaction records; and repeating said steps of generating a relation value and associating unmarked transaction records with a fraud score using the marked and newly marked transaction records as the set of marked transaction records, until a termination condition is reached.
2. The method of claim 1, further comprising after said termination condition is reached, reporting said marked transaction records as fraudulent.
3. The method of claim 2, wherein said relation value is based on outcomes of a plurality of equivalence functions applied to unmarked transaction records with respect to said marked transaction record.
4. The method of claim 3, wherein said transaction records each include a plurality of data fields and said plurality of equivalence functions compare at least one data field in said unmarked transaction records to corresponding at least one data field in said marked transaction record.
5. The method of claim 4, wherein said transaction records include information selected from the set consisting of: date of transaction, time of transaction, merchant, transaction amount, IP address, account number, and cookie.
6. The method of claim 4, wherein said data fields include an IP address, and said plurality of equivalence functions includes an equivalence function comparing an IP address associated with said unmarked transaction records with an IP address of said marked record.
7. The method of claim 4, wherein said data fields include a transaction amount, and said plurality of equivalence functions includes an equivalence function comparing a transaction amount associated with said unmarked transaction records with a transaction amount of said marked record.
8. The method of claim 4, wherein said data fields include a credit card number, and said plurality of equivalence functions includes an equivalence function comparing a credit card number associated with said unmarked transaction records with a credit card number of said marked record.
9. The method of claim 4, wherein said data fields include a merchant, and said plurality of equivalence functions includes an equivalence function comparing a merchant associated with said unmarked transaction records with a merchant of said marked record.
10. The method of claim 4, wherein said data fields include a date and a time, and said plurality of equivalence functions includes an equivalence function comparing a date and a time associated with said unmarked transaction records with a date and a time of said marked record.
11. The method of claim 4, wherein said data fields include a cookie, and said plurality of equivalence functions includes an equivalence function comparing a cookie associated with said unmarked transaction records with a cookie of said marked record.
12. The method of claim 4, wherein said relation value for each unmarked record comprises a sum of the outcomes of the plurality of equivalence functions applied to said unmarked transaction record with respect to said marked transaction record.
13. The method of claim 12, wherein said marking condition is a maximum number of repetitions of the steps of providing a relation value for unmarked transaction records and marking transaction records satisfying a marking condition based on said relation value.
14. A system for identifying fraudulent transactions comprising: a processor to receive a set of at least one marked transaction record each transaction record in said set of marked transaction records respectively associated with a fraud score indicating a fraudulent transaction and a set of unmarked transaction records, for each unmarked transaction record in the set of unmarked transaction records generate a relation value for the unmarked transaction record with respect to at least one marked transaction record, said relation value based on an outcome of at least one equivalence function therebetween, associate unmarked transaction records satisfying a marking condition with a fraud score, said fraud score based on said relation value of the unmarked transaction record with respect to the marked transaction record and its respective fraud score, thereby rendering unmarked transaction records having a fraud score as newly marked transaction records, and repeat said steps of generating a relation value and associating transaction records with a fraud score using the marked and newly marked transaction records as the set of marked transaction records, until a termination condition is reached.
15. The system of claim 14, wherein said processor is further to report said marked transaction records as fraudulent.
16. The system of claim 15, wherein said relation value is based on outcomes of a plurality of equivalence functions applied to unmarked transaction records with respect to said marked transaction record.
17. The system of claim 16, wherein said transaction records each include a plurality of data fields and said plurality of equivalence functions compare at least one data field in said unmarked transaction records to corresponding at least one data field in said marked transaction record.
18. The system of claim 17, wherein said transaction records include information selected from the set consisting of: date of transaction, time of transaction, merchant, transaction amount, IP address, account number, and cookie.
19. The system of claim 17, wherein said data fields include an IP address, and said plurality of equivalence functions includes an equivalence function comparing an IP address associated with said unmarked transaction records with an IP address of said marked record.
20. The system of claim 17, wherein said data fields include a transaction amount, and said plurality of equivalence functions includes an equivalence function comparing a transaction amount associated with said unmarked transaction records with a transaction amount of said marked record.
21. The system of claim 17, wherein said data fields include a credit card number, and said plurality of equivalence functions includes an equivalence function comparing a credit card number associated with said unmarked transaction records with a credit card number of said marked record.
22. The system of claim 17, wherein said data fields include a merchant, and said plurality of equivalence functions includes an equivalence function comparing a merchant associated with said unmarked transaction records with a merchant of said marked record.
23. The system of claim 17, wherein said data fields include a date and a time, and said plurality of equivalence functions includes an equivalence function comparing a date and a time associated with said unmarked transaction records with a date and a time of said marked record.
24. The system of claim 17, wherein said data fields include a cookie, and said plurality of equivalence functions includes an equivalence function comparing a cookie associated with said unmarked transaction records with a cookie of said marked record.
25. The system of claim 17, wherein said relation value for each unmarked record comprises a sum of the outcomes of the plurality of equivalence functions applied to said unmarked transaction record with respect to said marked transaction record.
26. The system of claim 25, wherein said marking condition is a maximum number of repetitions of the steps of providing a relation value for unmarked transaction records and said processor is to mark transaction records satisfying a marking condition based on said relation value.
27. The method of claim 1, wherein the fraud score of said newly marked transaction record is diluted in value compared to the fraud scores of the received marked transaction records.
28. The system of claim 14, wherein the fraud score of said newly marked transaction records is diluted in value compared to the fraud score of the received marked transaction records.